You may have heard about the term GDPR Compliance and may be wondering what this is all about.
The General Data Protection Regulation (GDPR) is a regulation of the European Union and the European Economic Area, created explicitly for data protection and privacy, and it also governs the transfer of data belonging to European citizens outside of these designated areas.
What does that mean for your business and its operations?
If you process personal information for European Union citizens or offer goods and services to this region's citizens, this regulation applies to you, regardless of your current location.
Some of the necessary items for GDPR are:
- Data held by the business must be processed lawfully, fairly, and transparently.
- Data must be collected and processed only for the intended purpose, and done so lawfully.
- The minimal possible amount of data should be collected for the intended purpose.
- Data collected must be accurate and always kept up to date.
- The collected data should only be kept for the amount of time the process requires.
- Data must follow the CIA Triad security model; it must be kept confidential, its integrity must be preserved, and it must remain available at all times.
- The business should be able to account for the data it holds and demonstrate compliance with all of the principles of GDPR.
While these are the essential items to follow as a business through any of the involved processes, there are additional rights that the European citizens hold:
- The user has the right to be informed about the information held by the business.
- The user has the right to access the information held by the business.
- The user has the right to rectify any information held by the business.
- The user has the right to request deletion of data held by the business.
- The user has the right to restrict data processing by the business.
- The user has the right to request the transfer of data held by the business.
- The user has the right to object to any of the business's processes or methods for data processing.
- The user has the right to influence and query automated processes and profiling involving their data.
A final consideration regarding all of these items, both the GDPR principles and the European citizens' rights, is that all of these processes must be transparent: evidence must be delivered to the end user on how each of them was achieved.
For additional guidance, here is a short sheet on how to comply with GDPR with additional pointers for each item mentioned in this article.